Quarterly and Annual Monitoring Requirements
All departments that accept credit or debit cards as a form of payment must perform certain processes on a quarterly and annual basis to ensure ongoing compliance.
Reason for Directive
Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ credit card data. Payment Card Operations must ensure continuing compliance with the Payment Card Industry (PCI) Data Security Standards (DSS) as well as the UF Credit Card Merchant Policy.
Who Must Comply?
All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.
At a minimum, departments must perform the following processes quarterly:
- Perform a programmatic (automated or manual) removal of stored cardholder data that has exceeded the retention period defined in the data retention policy
- Change user passwords
- Run internal and external network vulnerability scans, if the applicable UF implementation(s) trigger the corresponding PCI DSS requirement (contact Payment Card Operations for details)
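The retention purge above is the one quarterly task that is usually scripted. The following is an added illustration, not a UF or Payment Card Operations script: it selects stored records older than a retention period, reports the purged record IDs (never the data itself) for the audit log, and then scans whatever remains for cleartext primary account numbers, which is the check a practitioner wants after a purge. The 90-day retention period, the `AS_OF` date and the sample records are constructed assumptions; the departmental retention policy and real record store would supply them.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the departmental data retention policy allows cardholder data
# to be kept for 90 days after it is stored. Substitute the policy's value.
RETENTION_DAYS = 90

# Constructed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
AS_OF = datetime(2020, 5, 1, tzinfo=timezone.utc)

# Constructed sample records. The card numbers are published test numbers,
# not real cardholder data.
SAMPLE_RECORDS = [
    {"id": 1, "stored_at": "2020-01-02T10:00:00+00:00", "note": "order 1001"},
    {"id": 2, "stored_at": "2020-01-20T09:30:00+00:00", "note": "order 1002 card 4111111111111111"},
    {"id": 3, "stored_at": "2020-04-20T16:45:00+00:00", "note": "order 1003 ref 1234567890"},
    {"id": 4, "stored_at": "2020-04-25T08:00:00+00:00", "note": "order 1004 card 5555 5555 5555 4444"},
]

# Runs of 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check used to tell card-number-shaped digit runs from order or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that look like PANs and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def select_expired(records, retention_days, now):
    """Split records into (expired, kept) by comparing stored_at with the retention cutoff."""
    cutoff = now - timedelta(days=retention_days)
    expired, kept = [], []
    for r in records:
        stored = datetime.fromisoformat(r["stored_at"])
        (expired if stored < cutoff else kept).append(r)
    return expired, kept


def residual_pans(records):
    """Map record id -> cleartext PANs found in any string field of retained records."""
    found = {}
    for r in records:
        text = " ".join(str(v) for v in r.values())
        pans = find_pans(text)
        if pans:
            found[r["id"]] = pans
    return found


def run_quarterly_purge(records=SAMPLE_RECORDS, retention_days=RETENTION_DAYS, now=AS_OF):
    """Return (kept ids, purged ids, residual PANs by id). Only ids go to the audit log."""
    expired, kept = select_expired(records, retention_days, now)
    purged_ids = [r["id"] for r in expired]
    kept_ids = [r["id"] for r in kept]
    return kept_ids, purged_ids, residual_pans(kept)


if __name__ == "__main__":
    kept_ids, purged_ids, residual = run_quarterly_purge()
    print("purged record ids:", purged_ids)
    print("retained record ids:", kept_ids)
    for rid, pans in residual.items():
        # Log the record id and a masked form only; never write the full PAN to a log.
        print(f"record {rid} still holds cleartext PAN(s):", [p[:6] + "..." + p[-4:] for p in pans])
```

A record flagged by the residual scan is inside the retention window, so the purge rule alone will not remove it; it needs to be rendered unreadable (truncated, hashed, tokenized or encrypted) or the retention justification reviewed. In the constructed sample, records 1 and 2 are purged, record 3 is kept with no PAN, and record 4 is kept but flagged.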
At a minimum annually, departments must perform the following processes:
- Test Incident Response Plan
- Ensure all workforce members (employees, students or volunteers) who work with (process, store, or transmit) credit/debit card data successfully complete the applicable annual training, TRM125: Payment Card Security Awareness Training
- Require personnel to acknowledge that they have read and understood the University’s security policy and procedures, as documented by signature on the Credit Card Security Ethics Certification, as included in the training course TRM125.
- Submit documentation of the following actions to Payment Card Operations:
- Completed PCI DSS Self-Assessment Questionnaire
- Monitor and report on PCI status of third-party service providers
- Review the departmental payment card procedures and update as needed
- Verify that the information security policy includes an annual risk assessment process that identifies threats and vulnerabilities and results in a formal risk assessment
Note: The UF Office of Information Security and Compliance has the authority to perform such assessments.
All departments that accept credit or debit cards are required to meet with a representative from Payment Card Operations annually. The agenda will include, but is not limited to, credit and debit card security, inventory analysis, and PCI compliance. The meeting will be scheduled according to the department's or unit's availability. For the meeting, departments will need to have accessible:
- All documentation detailed for the annual processes above
- All credit and debit card accepting terminals, devices, and implementations to confirm and verify the inventory
- All departmental credit and debit card processing procedures
- Network Diagram (PDF)
05/01/2020: reviewed content
TRM125 – Payment Card Security Awareness Training
Treasury Management/Payment Card Operations: (352) 392-9057